Friday, 1 August 2008

The SANS Institute installed and tested Apple's fix for the underlying flaw in the domain name system (DNS) protocol, and found that a patched Leopard desktop system (not Leopard Server) still exhibited the risky behavior that must change if this flaw is to be kept from being exploited.

As Rich Mogull and I noted in 'Apple Fails to Patch Critical Exploited DNS Flaw,' 2008-07-24, servers are at greatest risk from this DNS flaw. The flaw allows an attacker to push millions of fake responses for a DNS query to a server, and then poison the server's DNS entries if a forged entry matching the right pattern beats the legitimate answer from the domain owner's DNS server to the punch.

However, computers used by individuals, which run no DNS server software, can also be targeted through this flaw. With servers being patched rapidly worldwide, the low-hanging fruit will likely disappear, and attack vectors will be designed to hit massive numbers of clients on ISP networks. Clients use stub resolvers, which forward requests for DNS answers to a full-blown, or recursive, DNS server run by their company, ISP, network provider, or co-location facility.

The flaw hinges on how predictably ports are assigned to the outbound requests that carry domain name lookups in a DNS query. If the ports are sequential - each query uses a port number one higher than the previous request - then an attacker has a much smaller universe of forged responses to send.

With more entropy - a randomly chosen port for each query - attackers can't produce enough packets fast enough to win the race against the legitimate DNS server, and will statistically almost never poison the DNS cache. (This is a patch, not a fix, actually; DNS itself has to be overhauled to remove the fundamental weakness.)
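The two points above - that a stub resolver handing out sequential source ports is the risky behavior, and that random ports enlarge the space a forged reply must match - can be checked with a small script. The following is an added example, not code from the article, from SANS, or from Apple; the port lists are constructed samples, not captures from a real resolver, and the search-space figures assume a 16-bit transaction ID plus however many bits of port randomness the resolver provides.

```python
"""Defender-side check of DNS source-port behaviour and the matching search space.

Added example (not from the original article). Sample data is constructed.
"""
import math
import random
from collections import Counter

# Constructed samples: a stub resolver that uses a simple counter for its
# source ports, and one that draws ports at random from the ephemeral range.
SEQUENTIAL_PORTS = list(range(32768, 32768 + 200))
_rng = random.Random(2008)  # fixed seed so the sample is reproducible
RANDOM_PORTS = [_rng.randrange(1024, 65536) for _ in range(200)]


def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port went up by exactly 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def delta_entropy_bits(ports):
    """Shannon entropy (bits) of the port-to-port differences.

    Entropy of the raw port values would not expose a counter: 200 distinct
    values look just as 'random' as 200 random ones.  The differences do:
    a counter produces a single delta, so its delta entropy is 0 bits.
    """
    if len(ports) < 2:
        return 0.0
    deltas = Counter(b - a for a, b in zip(ports, ports[1:]))
    n = len(ports) - 1
    return -sum(c / n * math.log2(c / n) for c in deltas.values())


def classify_resolver(ports, seq_threshold=0.8, entropy_threshold=4.0):
    """Label observed source ports as 'sequential', 'low-entropy' or 'randomized'."""
    if sequential_fraction(ports) >= seq_threshold:
        return "sequential"
    if delta_entropy_bits(ports) < entropy_threshold:
        return "low-entropy"
    return "randomized"


def search_space(port_bits, txid_bits=16):
    """Number of (transaction ID, source port) pairs a forged reply must match."""
    return 2 ** (txid_bits + port_bits)


def poison_probability(forged_replies, port_bits, txid_bits=16):
    """Chance that a burst of distinct forged replies wins one query's race.

    port_bits=0 models a resolver whose next port is predictable (the attacker
    effectively knows it); port_bits=16 models a fully random 16-bit port.
    """
    return min(1.0, forged_replies / search_space(port_bits, txid_bits))


def report(name, ports):
    """Summarise one resolver's observed ports as a dict."""
    return {
        "resolver": name,
        "sequential_fraction": round(sequential_fraction(ports), 3),
        "delta_entropy_bits": round(delta_entropy_bits(ports), 2),
        "verdict": classify_resolver(ports),
    }


if __name__ == "__main__":
    for name, ports in (("counter stub", SEQUENTIAL_PORTS),
                        ("randomized stub", RANDOM_PORTS)):
        print(report(name, ports))
    burst = 65536  # one forged reply per possible transaction ID
    for bits in (0, 16):
        print(f"port bits={bits:2d} search space={search_space(bits):>11,} "
              f"P(poison per query, {burst} forged replies)="
              f"{poison_probability(burst, bits):.2e}")
```

The delta-entropy measure is the important design choice: a counter that cycles through the ephemeral range has as many distinct values as a random source, so only the differences between successive ports reveal it. The final loop shows why the patch matters: with a predictable port, a burst of 65,536 forged replies covers the whole transaction-ID space for one query, while a random 16-bit port leaves that same burst with roughly a one-in-65,536 chance.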